| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANr6G5yBW5JNMk3qvAuyD+OgtnhV6vg2E-41DO51bVtyeSWSNg@mail.gmail.com>
Date: Sun, 15 Feb 2015 11:06:55 -0800
From: Joe Stringer <joestringer@...ira.com>
To: nicolas.dichtel@...nd.com
Cc: Thomas Graf <tgraf@...g.ch>,
Linux Netdev List <netdev@...r.kernel.org>,
Justin Pettit <jpettit@...ira.com>,
Pablo Neira Ayuso <pablo@...filter.org>,
"dev@...nvswitch.org" <dev@...nvswitch.org>
Subject: Re: [RFC net-next 3/4] openvswitch: Add conntrack action.
On 15 February 2015 at 07:08, Nicolas Dichtel <nicolas.dichtel@...nd.com> wrote:
> Le 15/02/2015 05:47, Joe Stringer a écrit :
>
>> On 14 February 2015 at 11:56, Thomas Graf <tgraf@...g.ch> wrote:
>>>
>>> On 02/14/15 at 12:13am, Joe Stringer wrote:
>>>
>>> [..]
>>>
>>>> +static bool skb_has_valid_nfct(const struct net *net, u16 zone,
>>>> + const struct sk_buff *skb)
>>>> +{
>>>> + enum ip_conntrack_info ctinfo;
>>>> + struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
>>>> +
>>>> + if (!ct)
>>>> + return false;
>>>> + if (!net_eq(net, ct->ct_net))
>>>> + return false;
>>>
>>>
>>> I'm surprised that this is needed. Shouldn't we call skb_scrub_packet()
>>> between namespaces and invalidate the ct associated with the skb.
>>
>>
>> Right, it was more of a general sanity check which is likely unneeded.
>> I'm not aware of any particular case that this handles.
>
> I agree with Thomas. If we fall into this case, it's probably a real bug ;-)
We can BUG_ON(), then.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists